공개 키 등록시 인증 절차 추가

src/routes/(fullscreen)/key/export/+page.svelte

@@ -38,11 +38,11 @@
     isBeforeContinueModalOpen = false;
     isBeforeContinueBottomSheetOpen = false;
 
-    if (await requestPubKeyRegistration(data.pubKeyBase64)) {
+    if (await requestPubKeyRegistration(data.pubKeyBase64, $keyPairStore.privateKey)) {
       await storeKeyPairPersistently($keyPairStore);
       await goto(data.redirectPath);
     } else {
-      // TODO
+      // TODO: Error handling
     }
   };
 </script>

src/routes/(fullscreen)/key/export/service.ts

@@ -13,14 +13,39 @@ export const createBlobFromKeyPairBase64 = (pubKeyBase64: string, privKeyBase64:
   return new Blob([`${pubKeyPem}\n${privKeyPem}\n`], { type: "text/plain" });
 };
 
-export const requestPubKeyRegistration = async (pubKeyBase64: string) => {
-  const res = await callAPI("/api/key/register", {
+const decryptChallenge = async (challenge: string, privateKey: CryptoKey) => {
+  const challengeBuffer = Uint8Array.from(atob(challenge), (c) => c.charCodeAt(0));
+  const answer = await window.crypto.subtle.decrypt(
+    {
+      name: "RSA-OAEP",
+    } satisfies RsaOaepParams,
+    privateKey,
+    challengeBuffer,
+  );
+  return btoa(String.fromCharCode(...new Uint8Array(answer)));
+};
+
+export const requestPubKeyRegistration = async (pubKeyBase64: string, privateKey: CryptoKey) => {
+  let res = await callAPI("/api/key/register", {
     method: "POST",
     headers: {
       "Content-Type": "application/json",
     },
     body: JSON.stringify({ pubKey: pubKeyBase64 }),
   });
+  if (!res.ok) return false;
+
+  const data = await res.json();
+  const challenge = data.challenge as string;
+  const answer = await decryptChallenge(challenge, privateKey);
+
+  res = await callAPI("/api/key/verify", {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+    },
+    body: JSON.stringify({ answer }),
+  });
   return res.ok;
 };
 

src/routes/api/key/register/+server.ts

@@ -1,10 +1,10 @@
-import { error, text } from "@sveltejs/kit";
+import { error, json } from "@sveltejs/kit";
 import { z } from "zod";
 import { authenticate } from "$lib/server/modules/auth";
 import { registerPubKey } from "$lib/server/services/key";
 import type { RequestHandler } from "./$types";
 
-export const POST: RequestHandler = async ({ request, cookies }) => {
+export const POST: RequestHandler = async ({ request, cookies, getClientAddress }) => {
   const zodRes = z
     .object({
       pubKey: z.string().base64().nonempty(),
@@ -17,6 +17,6 @@ export const POST: RequestHandler = async ({ request, cookies }) => {
     error(403, "Forbidden");
   }
 
-  await registerPubKey(userId, zodRes.data.pubKey);
-  return text("Public key registered", { headers: { "Content-Type": "text/plain" } });
+  const challenge = await registerPubKey(userId, getClientAddress(), zodRes.data.pubKey);
+  return json({ challenge });
 };

src/routes/api/key/verify/+server.ts

@@ -0,0 +1,22 @@
+import { error, text } from "@sveltejs/kit";
+import { z } from "zod";
+import { authenticate } from "$lib/server/modules/auth";
+import { verifyPubKey } from "$lib/server/services/key";
+import type { RequestHandler } from "./$types";
+
+export const POST: RequestHandler = async ({ request, cookies, getClientAddress }) => {
+  const zodRes = z
+    .object({
+      answer: z.string().base64().nonempty(),
+    })
+    .safeParse(await request.json());
+  if (!zodRes.success) error(400, "Invalid request body");
+
+  const { userId, clientId } = authenticate(cookies);
+  if (clientId) {
+    error(403, "Forbidden");
+  }
+
+  await verifyPubKey(userId, getClientAddress(), zodRes.data.answer);
+  return text("Key verified", { headers: { "Content-Type": "text/plain" } });
+};